支持规则集忽略局域网IP

2025-12-11 12:50:26 +08:00 · 2021-12-02 16:08:25 +08:00
parent e31d68c1e1
commit 9d54c17695
4 changed files with 56 additions and 1 deletions
--- a/internal/nodes/waf_manager.go
+++ b/internal/nodes/waf_manager.go
@@ -88,6 +88,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 					Name:        set.Name,
 					Description: set.Description,
 					Connector:   set.Connector,
+					IgnoreLocal: set.IgnoreLocal,
 				}
 				for _, a := range set.Actions {
 					s.AddAction(a.Code, a.Options)
@@ -143,6 +144,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 					Name:        set.Name,
 					Description: set.Description,
 					Connector:   set.Connector,
+					IgnoreLocal: set.IgnoreLocal,
 				}

 				for _, a := range set.Actions {
--- a/internal/utils/ip.go
+++ b/internal/utils/ip.go
@@ -24,3 +24,33 @@ func IP2Long(ip string) uint64 {
 	}
 	return uint64(binary.BigEndian.Uint32(s.To4()))
 }
+
+// IsLocalIP 判断是否为本地IP
+func IsLocalIP(ipString string) bool {
+	var ip = net.ParseIP(ipString)
+	if ip == nil {
+		return false
+	}
+
+	// IPv6
+	if strings.Contains(ipString, ":") {
+		if ip.String() == "::1" {
+			return true
+		}
+		return false
+	}
+
+	// IPv4
+	ip = ip.To4()
+	if ip == nil {
+		return false
+	}
+	if ip[0] == 127 ||
+		ip[0] == 10 ||
+		(ip[0] == 172 && ip[1]&0xf0 == 16) ||
+		(ip[0] == 192 && ip[1] == 168) {
+		return true
+	}
+
+	return false
+}
--- a/internal/utils/ip_test.go
+++ b/internal/utils/ip_test.go
@@ -1,6 +1,9 @@
 package utils

-import "testing"
+import (
+	"github.com/iwind/TeaGo/assert"
+	"testing"
+)

 func TestIP2Long(t *testing.T) {
 	t.Log(IP2Long("0.0.0.0"))
@@ -10,3 +13,16 @@ func TestIP2Long(t *testing.T) {
 	t.Log(IP2Long("2001:db8:0:1::102"))
 	t.Log(IP2Long("::1"))
 }
+
+func TestIsLocalIP(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsFalse(IsLocalIP("a"))
+	a.IsFalse(IsLocalIP("1.2.3"))
+	a.IsTrue(IsLocalIP("127.0.0.1"))
+	a.IsTrue(IsLocalIP("192.168.0.1"))
+	a.IsTrue(IsLocalIP("10.0.0.1"))
+	a.IsTrue(IsLocalIP("172.16.0.1"))
+	a.IsTrue(IsLocalIP("::1"))
+	a.IsFalse(IsLocalIP("::1:2:3"))
+	a.IsFalse(IsLocalIP("8.8.8.8"))
+}
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -3,6 +3,7 @@ package waf
 import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
+	"github.com/TeaOSLab/EdgeNode/internal/utils"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
@@ -26,6 +27,7 @@ type RuleSet struct {
 	Rules       []*Rule         `yaml:"rules" json:"rules"`
 	Connector   RuleConnector   `yaml:"connector" json:"connector"` // rules connector
 	Actions     []*ActionConfig `yaml:"actions" json:"actions"`
+	IgnoreLocal bool            `yaml:"ignoreLocal" json:"ignoreLocal"`

 	actionCodes     []string
 	actionInstances []ActionInterface
@@ -163,6 +165,11 @@ func (this *RuleSet) PerformActions(waf *WAF, group *RuleGroup, req requests.Req
 }

 func (this *RuleSet) MatchRequest(req requests.Request) (b bool, err error) {
+	// 是否忽略局域网IP
+	if this.IgnoreLocal && utils.IsLocalIP(req.WAFRemoteIP()) {
+		return false, nil
+	}
+
 	if !this.hasRules {
 		return false, nil
 	}